Newsgroups: php.internals
Xref: news.php.net php.internals:87348
From: Rowan Collins <rowan.collins@gmail.com>
To: internals@lists.php.net
Date: Tue, 28 Jul 2015 21:12:27 +0100
Message-ID: <041328F1-A94D-4B36-BF4F-ED1D9AEB98A9@gmail.com>
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

On 28 July 2015 18:33:31 BST, Matt Tait wrote:
> Hi all,
>
> I've written an RFC (and PoC) about automatic detection and blocking of SQL
> injection vulnerabilities directly from inside PHP via automated taint
> analysis.
>
> https://wiki.php.net/rfc/sql_injection_protection

Have you searched the list archive and wiki for previous discussions and prototypes of variable tainting? The idea may well have some legs, but there might be some interesting points from previous discussions to note in your RFC.

Also, 7.0 is already in beta, so your RFC will need to target 7.1 at the earliest.

Regards,
-- 
Rowan Collins
[IMSoP]
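As an added illustration of the mechanism the quoted RFC describes (runtime taint tracking that refuses to execute SQL text derived from untrusted input), the following Python model is included here. It is not the RFC's PoC and not code from anyone on this thread; the names Tainted, from_request, guarded_query and lookup_* are made up for the illustration, and the users table and the injection payload are constructed sample data. It uses sqlite3 from the standard library so it runs offline.

```python
import sqlite3


class Tainted(str):
    """A str carrying a taint mark: it originated from an untrusted source.

    Concatenation with a Tainted operand yields a Tainted result, so the mark
    survives ordinary string building. This is an illustrative userland model,
    not the engine-level implementation the RFC proposes for PHP.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Python tries the subclass's reflected method before str's own
        # concatenation, so "literal" + Tainted(...) lands here and stays tainted.
        return Tainted(str.__add__(other, self))


class TaintedSqlError(Exception):
    """Raised when the SQL text itself, rather than a bound parameter, is tainted."""


def from_request(value):
    """Hypothetical request boundary: everything crossing it is marked tainted."""
    return Tainted(value)


def guarded_query(conn, sql, params=()):
    """Execute sql only if its text is untainted.

    Parameters may be tainted: the driver binds them as data and never parses
    them as SQL, so the mark is stripped from them here.
    """
    if isinstance(sql, Tainted):
        raise TaintedSqlError(
            "SQL text is built from untrusted input; bind it as a parameter instead")
    clean_params = tuple(str(p) if isinstance(p, Tainted) else p for p in params)
    return conn.execute(sql, clean_params).fetchall()


def make_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn, name):
    """The classic injectable pattern: user data spliced into the SQL text.

    Returns (blocked, rows); with a tainted name the guard refuses to run it.
    """
    try:
        rows = guarded_query(conn, "SELECT id, name FROM users WHERE name = '" + name + "'")
        return False, rows
    except TaintedSqlError:
        return True, []


def lookup_safe(conn, name):
    """Same query with the user data bound as a parameter."""
    return guarded_query(conn, "SELECT id, name FROM users WHERE name = ?", (name,))


def demo():
    conn = make_db()
    payload = from_request("alice' OR '1'='1")   # constructed injection attempt
    blocked, _ = lookup_vulnerable(conn, payload)
    injected_rows = lookup_safe(conn, payload)   # bound as data: matches no row
    normal_rows = lookup_safe(conn, from_request("alice"))
    return {"blocked": blocked, "injected_rows": injected_rows, "normal_rows": normal_rows}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the spliced query being refused while the bound version returns nothing for the payload and the expected row for a legitimate name. The caveat worth noting is the one that makes userland taint tracking leaky: operations such as `"%s" % t`, f-strings, `str.join`, `str.format` and `str.replace` return a plain str and silently drop the mark, so an application can lose the taint without ever sanitising the data. Tracking taint inside the language runtime, as the quoted RFC proposes for PHP, is the way to close those gaps.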